CA Identity Manager: Capabilities and Architecture

Transcription

1 TECHNOLOGY BRIEF: CA IDENTITY MANAGER CA Identity Manager: Capabilities and Architecture Ehud Amiri CA SECURITY MANAGEMENT

2 Table of Contents Executive Summary SECTION 1 2 Managing Complexity Created by Volume and Diversity Accommodating Changing Compliance and Regulation Requirements The Identity Management Payoff SECTION 2 3 CA Identity Manager Architecture Overview Application Layers Data Repositories Software Development Kit SECTION 3 5 Designed for Enterprise-Class Scalability and Security SECTION 4 6 CA Identity Manager Capabilities Provisioning/De-Provisioning User Self-Service Delegated Administration Integrated Workflow Role-Based Access Control Interface Customization Password Management Integration Reconciliation Services Auditing and Reporting SECTION 5 14 The Strength of a Broad Identity Management Solution SECTION 6 15 CA Identity Manager Improves Speed, Efficiency and Security Improved Operational Execution Improved Administrative Control Increased User Satisfaction Assistance in Compliance Efforts SECTION 7: CONCLUSIONS 16 Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document As Is without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

3 Executive Summary Challenge As the distinction between employees, business partners, and customer identities blurs, organizations must ensure that users get access to the RIGHT applications at the RIGHT time. Unfortunately, traditional approaches to granting and removing this access, heavily based on manual processes, are costly and prone to errors. At the same time, external regulatory oversight and internal governance practices mandate that these interactions be managed in compliance with corporate access policies, such as ensuring proper segregation of duties, approval workflow and audit. The challenge is in balancing the expectation of today s users for immediate access against the organizational need to secure their applications, data and other resources. Opportunity Optimizing and standardizing the processes involved in managing user identities can result in a variety of business and security benefits. CA Identity Manager provides a comprehensive identity administration and user provisioning solution that manages all types of identities and covers a comprehensive set of target systems across the full identity lifecycle from creation to modification to removal. In addition, CA Identity Manager improves security by providing an authoritative point of identity administration, enforcing consistent identity policies and auditing identity-related actions. Benefits By automating processes, identity management solutions provide a higher level of efficiency that improves operational execution, consistent control and user satisfaction while assisting in compliance efforts. For example, enforcing approval workflows ensures the proper sign-off before access is granted and auditing each action helps improve security, decrease risk and address regulatory compliance objectives. CA Identity Manager is an enterprise-class solution that provides provisioning, user self-service, identity administration and more. With superior scalability, CA Identity Manager supports the needs of all your users across all applications from the Web to the mainframe. With the flexibility to support virtually any workflow process, implement delegated administration for a range of management models, enact a variety of policy-based controls and embed identity management functions into your existing applications, CA Identity Manager supports the unique needs of your business. TECHNOLOGY BRIEF: CA IDENTITY MANAGER 1

4 SECTION 1 Managing Complexity Created by Volume and Diversity The typical enterprise supports IT operations on a massive scale. Multiple decades of deploying technology has resulted in literally hundreds of applications needed by an exponentially larger set of users. Application access must be provisioned not only for employees, but increasingly for others including business partners, contractors and customers. As a result, a large enterprise may have millions of separate entitlements to manage. Compounding this issue, many businesses have followed the path of cutting edge technology, migrating from mainframes, through client-server systems, to early groupware, Internet-based computing, and now to network-based services that operate in the cloud. Yet, with every major technology transition, old applications and infrastructures stay in place, requiring ongoing maintenance and investment. Thus, the resulting enterprise IT landscape is more heterogeneous and more complex. In light of this complexity, processes for managing user accounts, entitlements, credentials and access can no longer be done in an ad hoc, decentralized or manual fashion. These types of management models introduce the potential for human error and improperly configured systems and applications. Furthermore, this approach presents costly overhead and creates inconsistencies in how corporate policies are enforced, if at all. Ultimately all of these issues increase risk, both to your data and customer relationships. Accommodating Changing Compliance and Regulation Requirements In addition to this operational complexity, virtually every organization is directly or indirectly impacted by regulatory and industry initiatives such as Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), European Union Privacy Directive or Payment Card Industry Data Security Standard (PCI DSS). Each of these regulations address various aspects of business risk which have a profound impact on data security and IT controls. For example, SOX is focused on ensuring the security, integrity and reliability of corporate financial reports. As such it established direct involvement and accountability for company's "principal officers to validate the security and accuracy of financial statements. Similarly, the HIPAA Privacy Rule regulates the use and disclosure of protected health information, while PCI DSS focuses on enhancing the protection of credit card holder information both of which have ranging security implications regarding how persons gain access to this information. Many organizations look to frameworks such as Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and related Technology (COBIT) for best practice guidance on which security aspects they need to account for. The benefit of these frameworks is that they provide a standard mapping of regulatory requirements into specific IT security controls including how organizations should manage their identities, entitlements and the relationships between them. The key is leveraging cost-effective solutions with the ability to enforce these IT security controls across the entire enterprise. 2 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

5 The Identity Management Payoff Identity Management solutions provide consistency by automating the management of relationships between people (e.g. employees, partners and customers), their credentials (e.g. Active Directory, mailbox and ERP accounts) and their access rights on each system. In doing so, Identity Management solutions enable enterprises to address previously stated challenges by: REDUCING ADMINISTRATIVE COSTS Offloading labor from IT teams by automating many day-to-day administrative tasks such as creating accounts on target systems for new employees. Identity Management also enables IT to decentralize certain responsibilities using robust, controlled delegation and self-service capabilities including password resets. SUPPORTING COMPLIANCE INITIATIVES Enforcing security controls mandated by regulations, compliance frameworks and internal/external auditors. For example, implementing sign-off processes for granting sensitive resource access, limiting excessive rights, eliminating orphan accounts and enforcing password management policies. INCREASING ACCOUNTABILITY Implementing centralized identity administration processes across systems with consistent approval workflow and detailed audit trails gives enterprises the ability to answer fundamental questions such as Who has access to what?, Why was that granted? and Who approved it? MANAGING THE ENTERPRISE SCALE Realizing each of these benefits is predicated on the ability to support enterprise scalability and distribution requirements which can involve millions of resources over thousands of applications. Identity Management solutions that are architected to address these scalability requirements will enable a successful implementation of their product capabilities. The rest of this document provides deeper insight into CA s approach to Identity Management by describing CA Identity Manager s architecture and key capabilities. SECTION 2 CA Identity Manager Architecture Overview CA Identity Manager is architected in a layered fashion to logically separate front-end components from the back-end provisioning engine. This enables tremendous scalability capable of supporting the requirements of even the largest enterprises. This distributed computing approach enables you to implement high availability and disaster recovery at each layer as requirements dictate. It also provides deployment flexibility, allowing you to start with a basic implementation and add capacity and functionality over time. TECHNOLOGY BRIEF: CA IDENTITY MANAGER 3

6 FIGURE A CA Identity Manager s layered architecture is optimal for supporting the flexibility and scalability required by today s enterprises. CA IDENTITY MANAGER ARCHITECTURE Application Layers Each application layer represents a logically independent function within CA Identity Manager which interfaces with other application layers. Layers are sometimes deployed separately to meet customer s security or scalability requirements. CA Identity Manager s application layers include: IDENTITY MANAGER APPLICATION This standards-based J2EE application serves as the user interface and business logic layer. It includes the web user interface, delegated administration framework and workflow, policy evaluation, audit and reporting services. PROVISIONING SERVER Provides IT logic services including translation between business and IT terminology and mapping users with their target system credentials. It also provides synchronization and reconciliation services to push necessary changes to endpoint systems and identify changes made outside of CA Identity Manager. CONNECTOR SERVER Interfaces with target systems and applications via connectors to support provisioning tasks. Depending on the load, network topology and network security requirements of your environment, one or more Connector Servers may be deployed. These can be co-located with the Provisioning Server or distributed on remote machines. CA Identity Manager includes a large set of out-of-the-box connectors for commonly used business applications and IT systems. In addition, custom connectors can be developed to support provisioning to home-grown applications. 4 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

7 Data Repositories Each data repository represents a logical, permanent store for certain types of data elements required by CA Identity Manager such as user records, audit records and configuration data. CA Identity Manager s data repositories include: CORPORATE IDENTITY STORE This serves as a centralized, authoritative repository for users, groups and organizational units. For enterprises which already have a centralized repository serving this purpose, CA Identity Manager can leverage this data source without replicating any existing data. Commonly used commercial LDAP and RDBMS servers are supported. PROVISIONING STORE This is an internal repository which maintains a mapping between users in the Corporate Identity Store and their associated accounts on managed systems and applications. Endpoint metadata is also stored in this repository. RUNTIME DATABASE This internal repository maintains runtime information, such as audit trails, detailed transaction history, transient workflow status and configuration data about roles, policies and workflow definitions. Software Development Kit The CA Identity Manager Software Development Kit (SDK) includes a set of documented application programming interfaces (APIs) that let you integrate and extend CA Identity Manager capabilities for your specific environment. TASK EXECUTION WEB SERVICES (TEWS) Web Services API that enables third-party applications to remotely submit CA Identity Manager tasks for execution. This capability is used by organizations to embed Identity Management services into their existing applications that their users are already using and comfortable with. BUSINESS LOGIC SDK Set of Java based APIs that can be used for embedding custom business logic inside Identity Management policies. This includes both customization of presentation logic (e.g. Logical Attribute Handlers and Business Logic Task Handlers) as well as backend logic (e.g. Event Handlers and Workflow APIs). JAVA CONNECTOR SERVER SDK Used to develop custom connectors which support provisioning to home-grown applications. These custom connectors may include provisioning of accounts and groups, association of group memberships and validation logic. SECTION 3 Designed for Enterprise-Class Scalability and Security CA Identity Manager is deployed by some of the largest enterprises in the world, including those which require the highest degrees of scalability and around-the-clock availability. This same level of service benefits not only large enterprises, but customers of various sizes, across various industries. CA Identity Manager s flexible, layered architecture has been designed to support enterprise needs, including: LAYERED CLUSTERING Clustering is supported at every CA Identity Manager infrastructure layer, including the Identity Manager Application, Provisioning Server, Connector Server and repositories. Clustering support addresses high availability as well as load balancing requirements. TECHNOLOGY BRIEF: CA IDENTITY MANAGER 5

8 COMPONENT DISTRIBUTION Depending on customers specific load requirements, CA Identity Manager can be extended horizontally by adding additional machines in a mirrored fashion. Alternatively, the deployment can be extended vertically, by dedicating machines to handling specific functions which carry the highest loads. For example, customers expecting a massive propagation of endpoint changes can deploy additional temporary provisioning servers to be used as batch servers. SCALABILITY USING CA DIRECTORY Optionally, CA Identity Manager can leverage CA Directory as the corporate identity store. CA Directory supports both LDAP and X.500, and meets the toughest scalability and performance requirements and hardware constraints, as demonstrated in a recent 100 million user scalability test conducted by an external testing laboratory. Recognizing that CA Identity Manager often maintains highly sensitive information, CA makes continuous investments to ensure the highest levels of internal product security. This enables the management of users and their access rights across the entire enterprise, while maintaining the highest product security disciplines in accordance with industry best practices: CRYPTOGRAPHY CA Identity Manager uses the Advanced Encryption Standard (AES), incorporating proven cryptographic libraries Crypto-J v3.5 and Crypto-C ME v2.0. These cryptographic requirements include encryption algorithms, key sizes and implementation for handling sensitive data. FIPS SUPPORT Federal Information Processing Standards (FIPS) is a security standard for the cryptographic libraries and encryption algorithms which ensure high standards of data security. DATA SECURITY CA Identity Manager secures data at rest and in transit by using secured protocols over all communication channels between components and endpoints. In the majority of cases, this includes usage of standard protocols over SSL, such as HTTP over SSL (HTTPS) and LDAP over SSL (LDAPS). SECTION 4 CA Identity Manager Capabilities CA Identity Manager provides a comprehensive set of functionalities which enable you to automate the various identity management processes in your organization. These capabilities provide added value when used in conjunction with one another, but can often be implemented in a standalone fashion, enabling phased deployments. This section discusses the various capabilities of CA Identity Manager. Provisioning/De-Provisioning Provisioning involves automating the process of adding, modifying and deleting users and their attributes. This includes managing users profile attributes, including their role memberships and their associated access rights. CA Identity Manager supports these operations and goes beyond the traditional boundaries of organizations to automate these processes across the extended enterprise. 6 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

9 ALL IDENTITY TYPES IT organizations are being increasingly asked to manage identities across the enterprise, whether that includes internal users (e.g. employees), external users (e.g. customers or partners) or identities not directly owned by a single person (e.g. root accounts). CA Identity Manager provides a single solution with the ability to manage all types of identities, providing greater consistency across the entire enterprise. FINER-GRAINED ENTITLEMENT MANAGEMENT CA Identity Manager can manage entitlements at a range of depths, from coarse- to finer-grained entitlements. For example, customers who invested in developing detailed SAP role models can automate provisioning down to the SAP role level. Unlike traditional identity management systems, CA Identity Manager leverages these roles directly out of target systems instead of requiring redundant definition of each SAP role in CA Identity Manager. These application roles can be augmented by CA Identity Manager business roles in defining workflows and business processes. This flexibility is important in leveraging existing investments, reducing replication of data and driving down the cost of maintaining the deployment over time. POLICY MODELING Policy Xpress lets you configure policies that execute your unique, complex business processes. Traditional approaches generally acheive this through custom code development, but this wizard-based tool lets you build policies in-house within hours, rather than requiring weeks of programming. This helps reduce the costs of internal development and ongoing maintenance, and you will no longer be locked into unsupported, aging software. With Policy Xpress, you can quickly and easily respond to organizational changes, without having to manage an entire software development effort. MASS UPDATES Organizations often need to support massive entitlement changes as a result of enterprise structure changes, such as the merging of business units or acquisition of new companies. CA Identity Manager supports these types of mass changes using a bulk loader service. Changes can be initiated by feeding in an information file where each text line represents a requested change. CA Identity Manager can also apply a common change to many users which match certain criteria, such as applying the same change to all current employees at a certain site. TASK SCHEDULING Provides the ability to set transactions for future execution based on date/time criteria. For example, an administrator can instruct CA Identity Manager to create a new employee profile upon their hire at the beginning of next month or set up a temporary identity for contractors who have known start and end dates. User Self-Service CA Identity Manager enables organizations to reduce IT and help desk workloads by empowering users to resolve identity-related issues on their own. Through an easy-to-use web interface, users can manage many aspects of their identity through various functions including: SELF-REGISTRATION Enables users to register for web applications through a publicly available web page. The user interface can be easily configured to request the specific information required by the organization depending on the type of user. This capability is frequently used for the purpose of managing external users of consumer-based applications. FORGOTTEN PASSWORD AND PASSWORD RESETS Instead of calling the help desk to reset a forgotten password, users can identify themselves via alternative means of authentication TECHNOLOGY BRIEF: CA IDENTITY MANAGER 7

10 such as a series of custom questions. Upon proper authentication, they can set a new password for their global account or for any of their application accounts. ACCESS REQUESTS Allows users to request additional access via the CA Identity Manager web interface or your existing web portal. This greatly decreases costs by reducing the requirement for administrators to process and manually manage the workflow associated with providing additional access. SELF-ADMINISTRATION Enables users to maintain certain elements of their identity profiles while administrators retain granular control over what attributes can be changed or not. This enhances the user experience by providing an alternative to relying on the help desk for simple identity changes such as their home address or phone number. Delegated Administration CA Identity Manager includes a comprehensive set of capabilities that enable you to define what business operations each user can perform, and under which business restrictions. This enables you to regulate who can do what, to whom. Delegation models are based on combinations of roles and rules and can include custom logic for modeling unique delegation logic as needed. WORKFLOW-BASED DELEGATION CA Identity Manager provides the ability to easily create and apply approval processes so users can feel confident their actions will be appropriately delegated. Each approval can, in turn, be subject to delegation, allowing approvers to further delegate or transfer approval authority if it was improperly assigned. GRANULARITY OF DELEGATION Delegation of capabilities (e.g. create user, approve access request, view system report) can be defined based on user or organizational attributes or a combination of both, including: User attributes such as job title or location. Organizational structure, including explicitly identified organizations or dynamic groups such as "users in organizations that match a filter criteria. Groups containing the user, including explicitly identified groups or sets of groups that match filter requirements. Participation in roles including membership, administration or ownership of admin, access or provisioning roles. SCOPING Defining the scope on which subjects one can take action follows the same model as above, but also includes the ability to define dynamic, instance-specific rules. For example, a user can have scope over "all users in Sales" or "all users at my location. TEMPORARY DELEGATION Users (the delegator) can specify that another user or combination of users have the authority to approve tasks or work items during periods when the delegator is "out of the office." Integrated Workflow CA Identity Manager s embedded workflow engine allows organizations to implement business processes which provide control over delegated administration capabilities. This workflow is highly flexible and capable of supporting varying business requirements through template definition, escalation, parallel approvals, serial approvals and multi-step approvals. Workflow integration includes: 8 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

11 FIGURE B Customization of workflow processes can be accomplished using an intuitive drag and drop user interface. WORKFLOW TEMPLATES These allow you to generically define workflow processes once using a drag and drop user interface and reuse them across specific processes. Separating the definition of the process flow from the process data enables you to reuse logic and minimizes the cost associated with repeatedly changing processes. CA Identity Manager provides a set of out-of-the-box workflow templates and supports creation of custom workflow templates. APPROVALS Workflow can be established to require a person to approve an event, such as modification to a user profile, before CA Identity Manager updates a user store. Approvers are administrators who have been assigned rights within the approver role for a particular task. NOTIFICATIONS The workflow engine can notify users of an event s status at different stages of a process, for example when a user initiates an event or when an event is approved. WORK LIST GENERATION Work lists specify the tasks that a particular user must perform. The workflow engine updates administrators work lists automatically. WORKFLOW DESIGNER Role-Based Access Control Roles simplify identity management by aggregating similar users and their common privilege assignments into abstracted, business-relevant groupings. In doing so, roles reduce the number of relationships that must be managed, provide better business representation of these relationships and enable more efficient identity management. For example, an organization with 20,000 users and 100 applications may need to manage several millions of individual privileges. Building a role model of several hundred roles to represent most of these individual privileges greatly simplifies and reduces the cost of ensuring appropriate access is granted to those users. CA Identity Manager supports the following types of roles: TECHNOLOGY BRIEF: CA IDENTITY MANAGER 9

12 PROVISIONING ROLES These roles are used to grant users with access to target system accounts (e.g. SAP, Active Directory, ) and the appropriate level of privileges within these accounts (e.g. membership to SAP Roles). Provisioning Roles include a collection of Account Templates which are a description of rules required for creating new target system account with associated permissions. These rules can leverage user profile data, other account attributes or constant values. Provisioning Roles are fundamental to CA Identity Manager s robust automation of administrative activities such as creation and modification of user accounts. ADMIN ROLES Admin Roles grant privileges within the CA Identity Manager web user interface. Admin Roles support fine-grained controls over the actions a user that can perform ( What can a user do? ) and across the scope these actions can be performed ( On which subjects can these actions be performed? ). Similar to Provisioning Roles, Admin Roles support rule-based membership policies that provide the flexible foundation for the delegation of duties within CA Identity Manager. Interface Customization The effectiveness of Identity Management systems is often predicated on the rate of adoption from users and administrators. CA Identity Manager s web user interface is highly configurable, allowing you to provide the right user experience and level of detail for each user in the organization. The user interface can be customized in the following ways: APPEARANCE The look and feel of the CA Identity Manager web user interface can be configured to match the organizational standard in terms of logos, color palettes, font types and other visual characteristics. In addition, terminology used within the interface can be customized to improve the user experience. FORMS AND ATTRIBUTES Each screen in the web interface is composed of visual forms through which users can input information or make appropriate selections. These forms can be configured down to the level of the user schema or can include custom attributes. CA Identity Manager includes a point and click form designer which allows you to designate field layout and configuration. CUSTOM LOGIC The user experience and flow of activities can be further customized by leveraging CA Identity Manager s Java SDK to develop custom logic snippets. Hooks are available for delivering calling plug-ins before and after a task screen is displayed (called Business Logic Task Execution), before and after an attribute is displayed (called Logical Attribute Handler) and based on specific task processing events (called Event Handler). WEB SERVICE INTEGRATION In addition to allowing you to customize components within the web user interface, you can completely remove identity management capabilities from CA Identity Manager and embed them into your own custom interfaces. This is possible because CA Identity Manager exposes all user interface tasks as web services including self-service, delegated administration and system administration tasks. 10 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

13 FIGURE C The CA Identity Manager web interface look and feel can assume be customized to accommodate the organization s requirements. CUSTOMIZED VERSIONS OF THE WEB USER INTERFACE Password Management CA Identity Manager includes a comprehensive set of password management services which increase security by enforcing consistent password policies across the organization. These also combine with self-service password reset capabilities to reduce the cost of password-related help desk calls. PASSWORD POLICIES Enforce different password strength requirements for different users, ensuring that sufficiently strong passwords are used to protect critical applications and accounts. Password restrictions include: minimum password length, maximum repeating characters, upper-/lower-case letter requirements, combination requirements (of letters, digits, punctuation, non-printable and non-alphanumeric character sets), custom dictionary tests and comparison against user profile attributes. PASSWORD SYNCHRONIZATION CA Identity Manager can propagate passwords across target systems, including synchronizing operating system-level password changes back to CA Identity Manager across Windows, Unix and mainframe environments. NATIVE WINDOWS LOGON CA Identity Manager has the ability to enhance the native Windows Vista Credential Provider and Windows Graphical Identification and Authentication (GINA) interfaces to add forgotten password functionality within the standard Windows logon dialog. TECHNOLOGY BRIEF: CA IDENTITY MANAGER 11

14 Integration Identity Management benefits often depend on the ability to integrate with the existing IT infrastructure and applications in a fast, scalable and non-intrusive fashion. CA Identity Manager addresses these needs by providing a combination of rich, out-of-the-box connectors and tools that easily facilitate integration with custom infrastructure and applications. OUT-OF-THE-BOX CONNECTORS CA Identity Manager includes a broad set of pre-built connectors that provide provisioning integration with many popular web, client-server and mainframe applications. These include major computing platforms, enterprise applications, databases, collaboration environments and industry-standard interfaces. CONNECTOR XPRESS This wizard-driven utility allows you to generate custom connectors via a graphical user interface without coding. Connector Xpress greatly reduces the level of technical expertise which is generally required for creating connectors with other identity management solutions. This enables the creation of custom connectors within hours rather than days or weeks. CONNECTOR SDK CA Identity Manager provides an SDK for developing Java-based custom connectors. This is the same SDK used by CA in developing our out-of-the-box provisioning connectors. FIGURE D CA Identity Manager delivers out-of-the-box connectors for many commonly used business applications and IT platforms. CA IDENTITY MANAGER CONNECTORS Mainframe Systems IBM RACF CA ACF2 CA Top Secret DB2 for z/os ERP Systems Oracle Applications PeopleSoft SAP Siebel CRM Groupware Exchange 2000/2003 Exchange 2007 Lotus Notes Domino Server Host/Servers Windows NT Windows 2000 Windows 2003 Windows 2008 Active Directory Sun Solaris HP-UX IBM AIX HP Tru64 Red Hat Linux SuSE Linux AS/400 OpenVMS Novell NDS/Binderies HP NSK Safeguard NCR MP-RAS SGI IRIX General Interfaces JDBC/JNDI LDAP ODBC SPML SDK Web Service/WSDL Connector Xpress CA Solutions CA Single Sign-On CA Access Control CA Embedded Entitlements Manager CA SiteMinder Web Access Manager* Authentication Servers RSA SecurID ActivIdentity CMS Entrust PKI Databases IBM DB/2 Oracle MS SQL Server *Native connection 12 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

15 Reconciliation Services Synchronizing identities and access rights across the enterprise requires bi-directional connectivity with managed systems. In previous sections, we focused on the propagation of changes from CA Identity Manager to endpoint systems. Reconciliation services, called Reverse Synchronization in CA Identity Manager, recognize changes made directly on endpoint systems, determine if they are within policy and synchronize them across other systems as appropriate. SYSTEM ACQUISITION Once a new managed system is defined, the reconciliation service discovers the list of existing accounts and automatically maps these accounts to users based on correlation rules. Accounts that do not satisfy correlation rules are flagged as orphan accounts for manual review. The system owner can either associate accounts to users, mark them as System Accounts, disable accounts or delete accounts. AUTHORITATIVE SYSTEM SUPPORT Authoritative systems are business applications or IT platforms designated as the source of certain user or account attributes. For example, in many enterprises a human resources application is the authoritative source for employee information such as full name, job title and organizational hierarchy. CA Identity Manager supports the option to have multiple authoritative systems, each with authority over part of the user population or a subset of attributes. The ability for changes made at authoritative sources to override existing information in CA Identity Manager can be set at multiple levels: USER Authoritative System records can be mapped to CA Identity Manager user entities. Changes to these objects trigger tasks, such as Create User, Modify User and Delete User. ACCOUNT Authoritative System records are mapped to CA Identity Manager individual accounts. An individual user may have multiple associated accounts with different synchronization policies for different user profile and account attributes. ATTRIBUTE Authoritative Systems can have the ability to make updates on certain attributes but not authorized to change others. CHANGE RECOGNITION By comparing the known status of accounts in CA Identity Manager with the actual assignment of these accounts in the target systems, Reverse Synchronization discovers when unauthorized changes have taken place. Based on this, it can initiate automated alerts or remediation processes such as triggering of manual review by an administrator or initiating revert actions for these changes. Auditing and Reporting CA Identity Manager s audit service captures a complete trail of business changes, provides ad-hoc query capabilities and optionally integrates with CA Security Information and Event Management (SIEM) solutions for cross-domain forensic and reporting analysis. In addition, CA Identity Manager s reporting services offer the following capabilities: ENTERPRISE-CLASS REPORTING CA Identity Manager includes an embedded version of Business Objects Crystal Reports XI. This scalable approach enables organizations to build customized reports which support enterprise requirements. TECHNOLOGY BRIEF: CA IDENTITY MANAGER 13

16 SNAPSHOT WAREHOUSE Organizations can periodically schedule capturing of current organizational access policy and actual entitlements assignments. The recorded information is stored in a relationship database as an individual snapshot, representing the status at a particular date. Viewing the progression of snapshots stored in the warehouse provides a historical view of access assignments. This information can be used in a forensic scenario to produce reports of assignments at a particular date, or for trending to show the evolution over time and provide visibility into gradual changes happening in the organization. OUT-OF-THE-BOX REPORTS CA Identity Manager includes a set of pre-built reports which provide valuable visibility into the identity management operation and efficiency through entitlements, policies and workflow insight. FIGURE E CA Identity Manager provides a robust enterprise-grade reporting framework using Business Objects Crystal Reports XI infrastructure. IDENTITY AND ENTITLEMENT REPORTS SECTION 5 The Strength of a Broad Identity Management Solution Organizations are increasingly facing a variety of identity related challenges, whether that involves on-boarding new employees in a timely manner, providing users with self-service password reset capabilities or ensuring the appropriate approval processes are tracked in a consistent manner. Identity Management solutions address these challenges while promising significant efficiencies in operational costs, risk mitigation and regulatory compliance. CA Identity Manager helps organizations maximize this potential value by covering all types of users, over the broad range of applications used by your organization and throughout a lifecycle of identity-related business processes. This is delivered on an architectural foundation optimized to address the scalability and agility requirements of your organization in today s ever demanding business environment. 14 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

17 CA Identity Manager provides native integration with CA Role & Compliance Manager to enable your organization to manage user identities, roles and policies throughout their lifecycles. Information about user identities and their privileges from CA Identity Manager can be cleaned-up and used as the basis for an accurate role model and identity compliance policies in CA Role & Compliance Manager. This information can be then be fed back into CA Identity Manager for use in role-based provisioning decisions and enforcement of appropriate security policies. CA Identity Manager is also part of the complete and proven Identity and Access Management (IAM) solution from CA that helps you manage users and protect IT assets across all platforms and environments. As such, it contributes to your ability to optimize the performance, reliability and efficiency of your overall IT environment. CA Identity Manager provides integration, which enables you to provision to and manage users for many of CA s other leading IAM solutions including CA SiteMinder Web Access Manager, CA Access Control and CA Single Sign-On. The next step is to tightly integrate the control and management of distinct functions such as operations, storage and lifecycle and service management, along with IT security. This higher level of management control is EITM CA s vision for a dynamic and secure approach that integrates and automates the management of applications, databases, networks, security, storage and systems across departments and disciplines to maximize the full potential of each. CA s comprehensive portfolio of modular IT management solutions helps you unify and simplify IT management across the enterprise for greater business results. SECTION 6 CA Identity Manager Improves Speed, Efficiency and Security Identity management can take many forms depending on the needs of your organization. Each element of identity management provides its own benefits, including the following: Improved Operational Execution Manually managing users or building user management into individual applications is an expensive and time-consuming proposition. Between the labor and inevitable mistakes involved in adding, modifying and removing users, ensuring each user has access that is consistent with his/her relationship with the firm is typically tremendously expensive. Automating many of these functions dramatically streamlines an organization s ability to manage users (regardless of whether they are employees, authorized partners or customers). CA Identity Manager can greatly reduce the hours of security administration time and help desk hours spent by an organization. In addition, errors are minimized as automation ensures that consistent and accurate accounts are created, modified and revoked on each target system without human intervention. CA Identity Manager delivers what organizations need timely and error-free provisioning of accounts, credentials and entitlements. TECHNOLOGY BRIEF: CA IDENTITY MANAGER 15

18 Improved Administrative Control Doing things cost-effectively is not enough anymore. Organizations also need to show they are in control of who can access corporate data and their business processes. This task is difficult enough for static resources, but becomes exponentially more challenging with the proliferation of additional applications, trading communities and collaborative business processes. All told, this creates significant security exposure as poorly configured roles or access rights can provide unauthorized users with access to sensitive information. Control is not just a watchword; it is a corporate mantra. CA Identity Manager provides the broad platform and application support to implement administrative consistency across target systems and ensure the corporate policies are enforced with detailed and tamper-proof audit records. Increased User Satisfaction Requiring users to deal with multiple identities for multiple applications stymies their ability to get things done. There is also a lot to be said about providing positive early impressions for new users by having everything (key applications, voice mail, , facilities access) ready when they need access. CA Identity Manager provides advanced self-service capabilities and a sophisticated workflow environment to map to your business processes, not vice-versa. Users that access the right resources with consistent credentials can focus on their work and be more productive, without worrying about their access or privileges. Assistance in Compliance Efforts There is no way around it; both internal and external auditors are a factor in all IT operations. Understanding who has accessed what and why, being able to document this and how someone received data is a critical aspect of proving compliance with various regulations around the world. The key requirement of virtually all IT/security-related regulations involves the creation of strong internal controls. This means that all users must be uniquely identified, their access to protected resources must be tightly controlled based on a defined security policy, and security events must be easily auditable. CA Identity Manager provides the ability to enforce clear segregation of duties, while providing both system and compliance-specific reports to substantiate the controls during an audit. SECTION 7: CONCLUSIONS Identity management is a function that every organization needs to provide. Employees need access to applications when they join or change roles within your company. Business partners need data to perform their upstream processing functions. Customers need assistance when they forget an account password or need to update their user profile. Your organization still needs to track when these changes occur if they impact sensitive resources. These processes are being performed on a daily basis, the question is, what does it cost your organization to support them in terms of user satisfaction, productivity and security? 16 TECHNOLOGY BRIEF: CA IDENTITY MANAGER

19 By automating these processes, CA Identity Manager provides a higher level of consistency and efficiency that benefit both your organization and your users. On-boarding and offboarding employees can be conducted in a timely manner according to user roles and corporate policies, both increasing security and improving user experience. Approval workflows are enacted as needed to ensure the proper sign-off before a user is provisioned with access to accounts or physical assets. And each of these actions can be audited to help your organization address regulatory compliance, privacy or governance objectives. CA Identity Manager is an enterprise-class solution that provides all of these functions and more. With superior scalability proven in some of the largest enterprises in the world, CA Identity Manager has the ability to support the needs of all your users, of any type, across all applications from the Web to the mainframe. While providing the flexibility to support virtually any workflow process, enact a variety of policy-based controls and embed function into any interface, CA Identity Manager supports the unique needs of your business and delivers a seamless user experience. To learn more about CA Identity Manager and its ability to help you to unify and simplify IT management for better business results, visit TECHNOLOGY BRIEF: CA IDENTITY MANAGER 17

20 CA (NASDAQ: CA), one of the world s leading independent, enterprise management software companies, unifies and simplifies complex information technology (IT) management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT. MP Learn more about how CA can help you transform your business at ca.com